Hoax Subpoena E-Mails Shine Light on 'Spearphishing'

This week, hundreds of executives at some of America's most well-known companies
received e-mails that they probably didn't want to get -- even if those messages
weren't a hoax.

It was revealed on Wednesday that as many as 2,000 top managers at high-profile
corporations nationwide received e-mail messages early in the week that looked
like an official subpoena from the U.S. District Court in San Diego, Calif.

Though this hoax could have been worse, it still brings attention to the growth
of a certain modus operandi among many of the world's most sophisticated hackers:
targeted attacks under the guise of a friendly overture.

"As phishing attacks go, this one has been comparatively small. By some
estimates, the Monday wave tricked about 2,000 people and the second attack
on Wednesday scammed another 100," said Andrew Storms, director of IT security
operations at San Francisco, Calif.-based nCircle Network Security. "Though,
despite the small numbers here, this attack does highlight the new trend of
'spearphishing.' Spearphishing is the term used to denote a highly targeted
and incredibly customized version of the daily-seen phishing attack."

Since the incident, the real federal court for the Central District of
California has posted an advisory on its Web site alerting users to the nature
of the attacks and admonishing them to report such incidents. Even the IT
security think tank SANS Institute got in on the act with notes on its homepage
urging users who receive subpoenas via e-mail to take them immediately to the
company's in-house counsel, private lawyers or federal law enforcement.

Security patches that guard against such attacks have also been relatively
prevalent in recent Patch Tuesday releases, more evidence that phishing is a
concern that isn't going away.

It All Started with Spam
Security experts say that at its roots, phishing is merely an appendage of an
age-old confidence scheme where curious, interested or greedy parties are reeled
in (hence the term "phishing") and their privileged information
stolen.

Like many others, Don Leatham of Scottsdale, Ariz.-based Lumension Security
traces the method back to the days of AOL, when dialing up to get on the Internet
sounded like fingernails scratching a chalkboard and the pages loaded slowly.

"The history can go way, way back," said Leatham, who is Lumension's
director of solutions and strategy. "The electronic, network version of
this con is typically traced back to the early '90s when access to online services
like AOL, Genie and CompuServe were fairly expensive."

However, today's attacks are more targeted and less random. They're less like
fishing and more like hunting with a spear through the water -- the water being
the network, in this case. Thus, spearphishing attacks are tailored e-mails that
include some level of personalized data from a trusted Web address that has been
hacked and configured to invite specific individuals.

The main challenge, security experts say, is that these narrow attacks can
fall well below the radar of Internet security systems, circumvent networks
and blend into Web-based applications, unlike the more obvious spam-blast e-mail.
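The two paragraphs above describe what makes a spearphishing message hard to catch: it is personalized, it impersonates a trusted sender, and its links lead somewhere other than where they claim. As an added defender-side illustration (not code from the article, nCircle, Lumension or Microsoft), the script below scores a raw e-mail on exactly those traits. The two sample messages, the `.test` domains, the "internal" domain `example-corp.test` and every scoring rule are constructed assumptions for the example; a real deployment would tune the rules to the organisation's own mail flow.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail). SUSPECT_MSG mimics the lure the
# article describes: a "court subpoena" addressed to a named executive, sent from
# a domain that is not the court's, with a link that does not go where it claims.
SUSPECT_MSG = """From: "US District Court - Southern District of California" <clerk@example-court-notice.test>
Reply-To: records@example-mailbox.test
To: Jane Doe <jane.doe@example-corp.test>
Subject: Subpoena: immediate response required
Content-Type: text/html

<p>Dear Ms. Doe, CFO of Example Corp,</p>
<p>You are hereby commanded to appear. Download the subpoena at
<a href="http://203.0.113.7/subpoena.exe">https://www.example-court.test/subpoena</a></p>
"""

BENIGN_MSG = """From: IT Helpdesk <helpdesk@example-corp.test>
To: Jane Doe <jane.doe@example-corp.test>
Subject: Patch Tuesday maintenance window
Content-Type: text/plain

Workstations will reboot at 22:00 tonight for updates. See the intranet page
https://intranet.example-corp.test/patching for details.
"""

# Assumed heuristics: legal/urgency wording used by the subpoena lure, HTML
# anchors, and bare IPv4 literals used as link hosts.
LEGAL_URGENCY_TERMS = ("subpoena", "commanded to appear", "immediate response", "court")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _domain(header_value):
    """Lower-cased domain of an address header value, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _body_text(msg):
    """Concatenate the decoded text parts of a message (HTML included)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_maintype() == "text"]
        return "".join(p.decode("utf-8", "replace") for p in parts)
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def analyze(raw, internal_domain):
    """Return the indicators found in one raw RFC 2822 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    display_name = parseaddr(msg["From"] or "")[0].lower()
    body = _body_text(msg)
    text = (msg["Subject"] or "").lower() + " " + body.lower()

    # 1. Sender claims to be a court but does not mail from a government domain
    if "court" in display_name and not from_dom.endswith(".gov"):
        findings.append(f"display name claims a court but sender domain is {from_dom}")

    # 2. Replies are silently routed to a domain other than the visible sender
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Visible link text points somewhere other than the real href target
    for href, label in ANCHOR_RE.findall(body):
        real, shown = urlparse(href), urlparse(label.strip())
        if shown.hostname and shown.hostname != real.hostname:
            findings.append(f"link text shows {shown.hostname} but goes to {real.hostname}")
        if real.hostname and IPV4_RE.match(real.hostname):
            findings.append(f"link target is a bare IP address {real.hostname}")
        if real.path.lower().endswith((".exe", ".scr", ".bat")):
            findings.append(f"link downloads an executable: {real.path}")

    # 4. Legal/urgency language from an external sender
    hits = [t for t in LEGAL_URGENCY_TERMS if t in text]
    if hits and from_dom != internal_domain:
        findings.append(f"external sender using legal/urgency terms: {hits}")

    return {"from_domain": from_dom, "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MSG), ("benign", BENIGN_MSG)):
        result = analyze(raw, "example-corp.test")
        print(name, "suspicious =", result["suspicious"])
        for f in result["findings"]:
            print("  -", f)
```

No single rule here is decisive; the point of the example is that a personalized, well-written lure gives a content filter little to work with, while header and link inconsistencies still surface when the message is checked as a whole.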

Storms contends that the difference between 1990 and 2008 is that phishing
is now a full-time business with real economic potential.

"When we think of phishing as a business, the attackers are putting dollars
into their business just like any other well-run entity," Storms said.
"They deal with supply and demand and they spend money on research and
development. As such, their tactics are becoming much more refined. However,
because the root of the problem is a human trust relationship, it's difficult
to develop technical products to mitigate the threat."

Responding to the Threat
In an e-mail to Redmondmag.com, Microsoft Senior Product Manager Mike Chan said
that as customers face external threats, they also face growing complexity,
security and privacy concerns within their own IT environment.

"As a result, IT managers don't have a complete view into the health of
their networks, which can actually breed vulnerability and security breaches.
Some employees may visit phishing sites out of curiosity, and they need to be
told in no uncertain terms: 'Don't,'" Chan wrote. "Just visiting a
phishing site can lead to malware being downloaded on to a company workstation
without the employee even realizing it, infecting the entire network."

Chan added that Microsoft thinks about this with a "defense-in-depth
approach, and we offer an array of products designed to help in this regard."

Chan and others suggest that from an application-security standpoint, adopting
an "allow only the known good" or whitelisting approach is the only
way to completely stop malware or remote code execution bugs that have eluded
anti-virus detection. Moreover, shoring up firewalls and using whole hard disk
encryption can guard sensitive documents from such attacks.

Still, what's been leaving IT pros scratching their heads is something that
has nothing to do with computers: social engineering and the habits of users
in the workplace. Rank-and-file workers -- and even IT administrators --
aren't beyond checking personal e-mails and opening attachments at their workstations
on a whim, without thinking about the implications.

This is why Leatham and others say that having an undetected botnet that gathers
keystrokes and data from multiple executives' computers in a specific company
is considered one of the IT risks that organizations might face in the near
future.

As he has been known to do, Leatham emphasizes that if he were a security administrator
at a company, he would cut the situation down to brass tacks and lay out the
danger in plain English: "User education must go beyond telling people,
'Don't open attachments' or 'Don't click on any links in an e-mail.' E-mails
are for reading. Period. No downloading. No clicking."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.